Equifax

Smart is...

Uncovering potential security threats before business is affected.
A global leader in information solutions, Equifax holds one of the largest stores of consumer and commercial data. So it’s no surprise that Equifax executives have set the bar high when it comes to security, with a goal to achieve ISO 27001 certification across all its locations by 2013. To achieve this, Equifax has undergone a ground-up security transformation, applying comprehensive protection with advanced intelligence and analytics to help staff uncover and stay ahead of threats. This work has helped Equifax remain a trusted steward of the world’s data—as it has been for more than 100 years.

Smarter Security: Using advanced intelligence to uncover persistent threats

Instrumented: Integrates system logs, security logs and application information into a single repository.
Interconnected: Combines historical data with near-real-time alerts to provide a big picture view of potential vulnerabilities and threats.
Intelligent: Analyzes data to uncover patterns and provide security staff with actionable information to stay ahead of both known and unknown threats.

As a global leader in information solutions, Equifax holds one of the largest stores of consumer and commercial data—income data, unemployment data, asset and wealth data, property data, credit scores, and much more. As a result, security is of paramount importance to both Equifax and the people and organizations it serves.

“We receive data from banks, utilities, and other organizations and we add analytics and information to it so our customers can make better decisions with greater confidence,” says Tony Spinelli, a security industry veteran who joined Equifax in September 2005 as chief security officer. “That data is provided to us because we’ve been a trusted steward of information for more than 113 years. With that trust, it is important that we have the best security in the world.”

Transforming security from the ground up

In late 2005, Equifax’s board of directors met with executives to discuss evolving security risks. At the time, most companies were concerned with closing vulnerabilities that hackers could exploit.

However, as criminals began to strategically target companies over a period of months, and even years, to steal data or intellectual property, Equifax executives recognized a more holistic approach was needed—one that would enable administrators to “put disparate pieces of information together” and uncover new threats from patterns of activity.

“Number one, we have to confirm that we have a strong network and that our servers have the right set of security,” says Spinelli. “Number two, we have to make certain that the applications serving our commercial and consumer entities don’t have weaknesses or vulnerabilities. Finally, we believe that security intelligence will differentiate us and allow us to proactively address a threat before a problem occurs.”

According to Spinelli, one of the goals that emerged from those 2005 conversations was a focus on exceeding ISO 27001 standards across its organizations worldwide. It was a mandate that led staff to re-examine every aspect of its security infrastructure and create a framework that could help the company stay ahead of both known and unknown threats.

Stopping Internet threats before they impact business

As part of its work, Equifax moved from a standard network detection model to an intrusion prevention framework using IBM Security Network Intrusion Prevention System software. The solution enables what Nick Nedostup, vice president of Security Operations for Equifax, calls “deep packet inspection” to identify malicious behavior and threats hidden within network traffic. Supported with intelligence on new threats from IBM® X-Force® Research and Development team, the solution helps Equifax proactively identify and prevent evolving threats.

“For almost six years, we’ve run in full intrusion prevention mode with IBM Security Network Intrusion Prevention System software and we haven’t had an instance with it stopping revenue traffic or good traffic,” says Spinelli. “It’s been a great solution for us in stopping bad traffic and it’s given us great confidence in how we operate.”

On the application side, Equifax uses IBM Security AppScan® software to uncover vulnerabilities and weaknesses across nearly 200 Internet-based applications.

“Using IBM Security AppScan software, we can effectively conduct dynamic scanning of our web applications to confirm we have all the right controls in place and that our applications are secure,” says Nedostup. “I need tools that provide best-in-breed security components, while, at the same time, are easy to use. In every case where we evaluated IBM products, they succeeded in defeating the competitors.”

Uncovering advanced persistent threats

For Equifax, maintaining the industry’s trust also required the ability to understand events in a larger context.

Nedostup explains: “We need to understand how many times an event has happened in the past, with what frequency, and by whom, so we can better determine whether the event is an anomaly or something that is posing as a persistent threat against our environment.”

To achieve this, Equifax used IBM Security QRadar® SIEM to combine historical data (system logs, security logs, application information) with real-time alerts and gain a big picture view of potential vulnerabilities and threats. The system can uncover patterns—such as unusual activity on a sensitive server—that Spinelli and Nedostup say humans are likely to miss.

“The IBM Security QRadar product has been fantastic in bringing us insight that we didn’t have previously,” says Spinelli. “It has also allowed us to gain efficiencies by providing our security analysts with actionable intelligence and information instead of having them have search through a haystack of information, trying to find something important. Together, the IBM Security solutions have allowed us to pursue industry certifications, such as PCI and ISO 27001, and gain trust from our customers, which ultimately has led to greater wallet share.”

The inside story: Getting there

What advice does Spinelli offer others who are looking to transform security within their organizations?
“The first lesson was to really involve the business—the CEO and the CEO’s direct reports,” he says. “Ask them what they want from security. Do they want a world-class security organization? Do they want to meet ISO 27001 standards? Get them involved and you might be surprised at the support you get.”

Second, he says, is to let executives know what to expect.

“One of the things that is counterintuitive about security is: If you put new security systems in and everything is getting better, you’ve completely failed,” Spinelli says. “What you should see from new security investments is a massive increase in security issues, because where you had blinders on before, you’re going to have massive visibility.”

Business benefits

● Increased revenue through greater customer trust
● Helped support ISO 27001 certification efforts
● Increased analyst efficiency through immediate access to actionable intelligence

Solution components

Software
● IBM® Security QRadar® SIEM
● IBM Security Network Intrusion Prevention System
● IBM Security AppScan®

For more information

To learn more about how IBM can help you transform your business, please contact your IBM sales representative or IBM Business Partner. Visit us at: ibm.com/security

For more information about Equifax, visit: www.equifax.com